HHS said the agreement was not an admission of liability by CardioNet, which manufactures ambulatory cardiac monitoring services to help physicians diagnose and treat patients with arrhythmias. The agreement was also not a concession from HHS that CardioNet violated HIPAA rules.

In January 2012, CardioNet told HHS that an employee had a laptop stolen outside of his home that contained unsecured electronic protected health information from 1,391 individuals. The next month, the company contacted the agency again to say that there were similar breaches effecting 2,219 individuals.

The Office of Civil Rights' investigation found that CardioNet had not implemented its standards of the HIPAA security rule. HHS also said that the company did not have policies or procedures regarding the implementation of safeguards for electronic protected health information.

As part of the corrective action plan, CardioNet agreed to provide HHS with a risk analysis of security risks and vulnerabilities related to electronic protected health information within 90 days of the plan’s start date. The company will also submit a risk management plan addressing any security risks and vulnerabilities within 90 days. In addition, it will review and revise its current security rule policies and procedures and security rule training program within 60 days.

If CardioNet determines that an employee failed to comply with policies and procedures, it must notify HHS within 30 days. Meanwhile, the company will submit annual reports as part of the two-year corrective action plan. CardioNet is also required to retain its records and provide them to HHS upon request for six years.